From a253d6fe89bbfcfbf06465ac2a163d94f937f3e7 Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Thu, 24 Aug 2023 11:02:21 +0100
Subject: [PATCH] Apply minor reveiw suggstions
---
.../security/auth/InsecureDirectObjectReferenceQuery.qll | 4 ++--
.../CWE-639/InsecureDirectObjectReference.qhelp | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
index 462af455af367..3d2db41a83ca0 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/auth/InsecureDirectObjectReferenceQuery.qll
@@ -12,7 +12,7 @@ import ActionMethods
// Other queries check that there are authorization checks in place for admin methods.
private predicate needsChecks(ActionMethod m) { m.isEdit() and not m.isAdmin() }
-private Expr getParentExpr(Expr ex) { result = ex.getParent() }
+private Expr getParentExpr(Expr ex) { result.getAChildExpr() = ex }
/**
* Holds if `m` has a parameter or access a remote flow source
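Review bot: The rewritten `getParentExpr` on the `+` line has no QLDoc comment, while the neighbouring predicates in this hunk are documented with `/** ... */` blocks, and the new form `result.getAChildExpr() = ex` reads less obviously as "parent of" than the old `ex.getParent()` did. A one-line comment such as `/** Gets the expression of which ex is a direct child expression, if any. */` above the definition would make the intent clear to the next reader. Presumably the reversed-join form was chosen for evaluation order; if so, the comment could say that too, since nothing in the hunk explains why the body changed.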
@@ -41,7 +41,7 @@ private predicate checksUser(ActionMethod m) {
/**
* Holds if `m` is a method that modifies a particular resource based on
- * and ID provided by user input, but does not check anything based on the current user
+ * an ID provided by user input, but does not check anything based on the current user
* to determine if they should modify this resource.
*/
predicate hasInsecureDirectObjectReference(ActionMethod m) {
diff --git a/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp b/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
index fc31d45267d63..8e82ac6f1bb61 100644
--- a/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
+++ b/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.qhelp
@@ -5,7 +5,7 @@
When an action method accepts an ID parameter used to control which resource (e.g. a comment, a user profile, etc)
is being accessed/modified, checks should me made to ensure that the current user is authorized to access that resource.
-Otherwise, an attacker could access an arbitrary resource by modifying the ID parameter.
+Otherwise, an attacker could access an arbitrary resource by guessing the ID parameter.